Microsoft has addressed six new vulnerabilities with Security Bulletin (MS02-023) and a two-megabyte cumulative patch for Internet Explorer 5.01, 5.5, and 6.0. Within hours of Microsoft's release of MS02-023, Israeli-based GreyMagic sent me an e-mail indicating that there were some mistakes in the text of the security bulletin and explaining why the patch only partially fixed one of the problems.
This cumulative patch fixes a number of IE vulnerabilities discovered up to this point and addresses six new threats.
The first of the new threats is "Cross-site Scripting in Local HTML Resource" (CAN-2002-0189). Microsoft says that this problem, which I described somewhat differently in an earlier column, could cause a script to run in the local computer zone as if the user activated it.
GreyMagic contradicted Microsoft’s statement that this is "a cross-site scripting vulnerability in a Local HTML Resource," explaining that the problem is actually in the way dialogArguments’ security settings are bypassed.
GreyMagic also pointed out that Microsoft is incorrect in saying that this problem is limited to IE 6 and claims that the same problem is found in IE 5 and IE 5.5. Since this cumulative patch doesn’t address the problem in those versions, users are still vulnerable even after applying this patch.
GreyMagic reported that “Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause. As a result of that incomplete 'patch,' IE 5 and IE 5.5 are still very much vulnerable to this attack in other resources.” The company has posted a demonstration on its Web site.
Another vulnerability is "Local Information Disclosure Through HTML Object" (CAN-2002-0191). This vulnerability in HTML objects' CSSes could allow an attacker to read but not modify or delete data on a user’s system. The attack requires that the user visit a Web site or open an HTML e-mail containing the specially crafted exploit code.
The "Information Disclosure Vulnerability Cookie Scripts" threat (CAN-2002-0192) could allow a Web site to access cookies it shouldn't have access to.
The "Zone Spoofing Through Malformed Web Page" vulnerability (CAN-2002-0190) could, in rare cases, allow malicious Web pages to be treated as if they were in the Trusted Sites zone.
The two newly discovered variations of Content Disposition variants (CAN-2002-0193 and CAN-2002-0188) are a new twist on a problem which Microsoft says was addressed in the cumulative patch supplied with MS01-058. The new problems affect the way IE handles downloads when there are intentionally malformed Content-Disposition and Content-Type headers.
"CAN" numbers (e.g., CAN-2002-0188) indicate “candidate” status for the vulnerability and means that they are still subject to review by the Mitre CVE Editorial Board. CAN and CVE designations are intended to make it easier to identify specific vulnerabilities and prevent confusion among different threats.
Microsoft Internet Explorer releases 5.01, 5.5, and 6.0 are affected by these threats. Microsoft no longer supports earlier versions of IE, although they could be affected by these flaws.
Microsoft rates a number of the covered vulnerabilities as critical and recommends that any users of IE 5, IE 5.5, or IE 6 apply this patch immediately.
Cross-Site Scripting in Local HTML Resource is critical for IE 6.0 clients and moderate for servers. According to Microsoft, this poses no threat to IE 5.01 and IE 5.5, but if GreyMagic is correct—and as far as I can determine, it is—IE 5.01 occasionally and IE 5.5 always remain vulnerable to this threat even after this patch.
The Local Information Disclosure Through HTML Object threat affects IE 5.01, IE 5.5, and IE 6.0 and is critical for client systems and moderate for servers.
The Information Disclosure Vulnerability Cookie Scripts threat affects IE 5.5 and IE 6.0 and is critical for client systems and moderate for servers. According to Microsoft, IE 5.01 is not vulnerable.
The Zone Spoofing Through Malformed Web Page flaw is low for all. The Content Disposition variants are moderate for IE 5.01 and 6.0 servers and clients and pose no risk for IE 5.5 client or server.
Cross-Site Scripting in Local HTML Resource
Microsoft says that there is no way to automate this attack because it requires the user to click on a hyperlink. However, according to GreyMagic, “This is simply wrong; the user doesn't have to click anything for this issue to be exploited. It can run automatically.” Microsoft also indicated that correctly updated and patched versions of Outlook, Outlook Express, and Outlook 2002 SP1 now open all HTML code in the Restricted Sites Zone, which would block this attack.
Local Information Disclosure Through HTML Object
Attackers must know the name and directory for the file they want to exploit. In addition, the file must contain a specific ASCII character or the attack will fail. Recently patched versions of Outlook and Outlook Express open HTML e-mails in the restricted security zone, which will block this attack as well. Outlook 2002 SP1 with Read As Plain Text enabled for HTML e-mail would also block the attack.
Information Disclosure Vulnerability Cookie Scripts
Microsoft says that an attack would require that the exact name of the cookie be known. The attack requires the user to click on a link. In other words, the attack can’t be automated, and the same patches and versions described as being safe in the previous vulnerability (HTML Object CSS) will also be protected from this attack.
Zone Spoofing Through Malformed Web Page
Any attack would require direct NetBIOS connection between the user and the attacker’s Web site. A firewall and most ISPs' standard filtering will block the attack. Other vectors of attack using this vulnerability will require a detailed knowledge of the user’s system settings, and default settings won't be vulnerable.
Content Disposition variants
Several technical aspects of this attack make it unlikely that it would be successful, including the requirement that the attacker have intimate knowledge of the user’s system. This indicates that the attack would probably be successful only if made by an insider, and DNS blocking would foil the attack.
For the moment, applying the patch supplied with MS02-023 appears to fix all known problems in IE 6.0. Since Microsoft hasn’t documented the dialogArguments (Cross-Site Scripting) vulnerability for IE 5.01 and IE 5.5 and, according to GreyMagic, actually patched only a portion of the problem, the current patch doesn’t fix this vulnerability in IE 5.01 or IE 5.5. There remains some doubt as to whether IE 6.0 is correctly patched, since the explanation of this vulnerability as given by Microsoft in its security bulletin is in dispute by outside security experts who claim it wasn’t properly addressed. The other threats to IE 5.01 and IE 5.5 appear to be corrected by this patch.
Thanks to GreyMagic for immediately notifying me of problems it discovered with this cumulative patch. I contacted Microsoft for clarification on this matter, but at the time of this writing, I hadn't heard back. I will post any response from Microsoft in the discussion section below.